Security architecture

A confidential conversion pipeline for sensitive files.

SecretConvert is designed for SecretVM deployment behind Traefik. Conversion tools, temporary job folders, secrets, metadata stripping, and signed download validation stay inside the backend workload environment.

Public pages are still visible to users. The confidential compute model is for backend processing, temporary files, application secrets, and sensitive workloads.

Confidential compute processing

Conversion workloads run inside the SecretVM-ready backend environment.

No third-party conversion APIs

LibreOffice, Poppler, qpdf, Ghostscript, ImageMagick, and ExifTool execute locally.

Temporary file handling

Files are written only to isolated UUID job folders under a non-public temp path.

Metadata stripping

ExifTool can remove embedded metadata before download when enabled.

Secure download links

The API returns relative, signed, expiring download URLs and never exposes public upload folders.

Auto-delete workflow

Inputs and work files are removed after conversion; outputs expire with the session.

SecretVM deployment model

Powered by SecretVM and prepared for port 3000 behind Traefik in a confidential compute deployment.

Workflow diagram

Upload, process, download, delete.

The flow is intentionally short. Less movement means fewer places for sensitive documents to leak.

1. Browser upload

The client sends selected files to the local SecretConvert deployment. Original filenames are not used for server storage.

2. UUID job isolation

The API creates a random UUID job folder and writes random safe filenames under a non-public temporary path.

3. Local conversion

Open-source tools execute inside the container: LibreOffice, Poppler, qpdf, Ghostscript, ImageMagick, and ExifTool.

4. Signed download

Outputs are exposed only through signed, expiring job URLs. Upload inputs are removed after conversion.

5. TTL cleanup

A cleanup routine removes job folders older than the configured ten-minute retention window.

What is protected

The backend accepts uploads through API routes, stores them in a private temporary job directory, converts them with local binaries, optionally strips metadata, and signs download URLs with an HMAC secret. Jobs expire according to FILE_TTL_MINUTES, with a default of ten minutes.

What is not automatically hidden

SecretVM protects backend processing, temporary files, secrets, and workloads from the infrastructure boundary it is designed to defend. It does not make public files private again, hide documents shared elsewhere, or prevent a user from downloading and redistributing converted files.

No public upload directoryNo original filename loggingNo document text loggingNo metadata loggingNo external converter APIsNo third-party tracking scripts